Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Caching Terraform providers #3001

Merged
merged 235 commits into from
Apr 10, 2024
Merged

Caching Terraform providers #3001

merged 235 commits into from
Apr 10, 2024

Conversation

levkohimins
Copy link
Contributor

@levkohimins levkohimins commented Mar 14, 2024

Description

Using the implemented built-in private registry, Terragrunt caches Terraform providers without using plugin_cache_dir, thereby ensuring that multiple Terraform processes can safely run concurrently.

Fixes #2920.

@levkohimins levkohimins marked this pull request as ready for review March 16, 2024 00:17
Name: FlagNameTerragruntProviderCacheDir,
Destination: &opts.ProviderCacheDir,
EnvVar: "TERRAGRUNT_PROVIDER_CACHE_DIR",
Usage: "The path to the cache directory. Default is .terragrunt-cache/provider-cache in the working directory.",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would we default to the working directory? Doesn't that mean we store the cache in a different folder each time based on where you happened to run a TG command from? If so, doesn't that mean that the TG cache isn't reused across commands?

Seems like we should default to the home folder: e.g., ~/.terragrunt/provider-cache.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using the same directory by multiple TG processes could cause a conflict, the same as running multiple TF processes with the same PluginCacheDir path. I modified the code, now Terragrunt Provider Cache uses a flock to prevent this.

Now it uses the native Go function https://pkg.go.dev/os#UserCacheDir + "terragrunt/providers" to determine the default cache directory.

Name: FlagNameTerragruntRegistryToken,
Destination: &opts.RegistryToken,
EnvVar: "TERRAGRUNT_REGISTRY_TOKEN",
Usage: "The Token for connecting to the built-in Private Registry server. By default generated automatically.",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we should call it "Private Registry." A Private Registry has a different connotation in the TF world: https://developer.hashicorp.com/terraform/registry/private. Perhaps we should call it "Terragrunt Provider Proxy" or "Terragrunt Provider Cache" or similar?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree. Renamed to "Terragrunt Provider Cache".

Name: FlagNameTerragruntRegistryHostname,
Destination: &opts.RegistryHostname,
EnvVar: "TERRAGRUNT_REGISTRY_HOSTNAME",
Usage: "The hostname of the built-in Private Registry server. Default is 'localhsot'.",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Usage: "The hostname of the built-in Private Registry server. Default is 'localhsot'.",
Usage: "The hostname of the built-in Private Registry server. Default is 'localhost'.",

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

Comment on lines 36 to 37
// HTTPStatusCacheProviderReg is regular expression to determine the success result of the command `terraform lock providers -platform=cache provider`.
var HTTPStatusCacheProviderReg = regexp.MustCompile(`(?mi)` + strconv.Itoa(controllers.HTTPStatusCacheProvider) + `[^a-z0-9]*` + http.StatusText(controllers.HTTPStatusCacheProvider))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT: consider including an example of the type of text you're trying to match.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Included

Name: FlagNameTerragruntRegistryToken,
Destination: &opts.RegistryToken,
EnvVar: "TERRAGRUNT_REGISTRY_TOKEN",
Usage: "The Token for connecting to the built-in Private Registry server. By default generated automatically.",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the format for the token? Can it be any value that's hard to guess? I noticed our auto-generated value is something like x-api-token:<UUID>. Does the value the user passes in have to have a similar format to work?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We use https://github.com/labstack/echo/tree/master/middleware which supports different tokens, but currently only x-api-token is available, the value can be any text except the empty string.
Thanks for pointing this out to me. I changed the code to not force users to add the x-api-token: prefix

Token string
}

func (auth *Authorization) Auth(bearerToken string, ctx echo.Context) (bool, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT: please add a comment on why we have a check for a token here.

NIT: update the docs (the .md ones I mean) with info on this token as well. Users need to understand this feature enables a server on localhost, and how we protect that server.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated.

}

// Run starts the webserver and workers.
func (server *Server) Run(ctx context.Context) error {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens if you run multiple TG commands concurrently on the same system? Will they clash because they both try to fire up a server on the same port?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was like that. Now the free port of the port is resolved automatically.

errGroup.Go(func() error {
return server.providerService.RunCacheWorker(ctx)
})
errGroup.Go(func() error {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need "unit tests" for this server. I say "unit test," because it's perhaps closer to an integration test, but I'd really like to have tests that just test this server as a single unit: run server, hit various endpoints, check they work as expected, check auth is enforced, check multiple concurrent servers work, etc.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added the unit test.

@@ -197,6 +199,82 @@ const (
fixtureDownload = "fixture-download"
)

func TestTerragruntProviderCache(t *testing.T) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for adding this test!

Given the rather large impact this has across all TG functionality, could we find a way to run all TG integration tests with (a) caching enabled and (b) caching disabled? I want to be sure all existing functionality still works with caching.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added tasks with provider cache.

registryName = "registry.opentofu.org"
}

for subDir, providers := range providers {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this test have some way of validating that each provider was downloaded and stored exactly once?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, it does all these checks.

ShutdownTimeout time.Duration
}

func NewConfig() *Config {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Function NewConfig() seems not to be used, or is it invoked somehow through reflection?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.


const (
// name using for the discovery
porviderName = "providers.v1"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

porvider 🤔

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks.

trappedMsgs []string
}

func NewTrapWriter(writer io.Writer, reg *regexp.Regexp) *TrapWriter {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will be helpful to add description on how TrapWriter can be used, tests also may be helpful

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added.

@levkohimins
Copy link
Contributor Author

levkohimins commented Apr 8, 2024

Hm, I'm not sure this answers my question. Normally, when you run terraform init, it does the following:

  1. Go out and download providers into the cache (if not there already) and record their hash into the lock file.
  2. Check that the hash of the binary matches the hash in the lock file.

I want to make sure we're not losing the check in (2) when provider caching is enabled.

Thinking through the use cases:

  1. If there is a lock file already, we run terraform providers lock, download the providers into the cache, and then run terraform init, which will check the providers in the cache against the ones in the lock file. So I believe this should work as expected.

  2. If there is no lock file, then there are two possibilities:

    1. By default, we run terraform providers lock as above, then terraform init, but on this init, we tell Terraform to create the lock file from the data in the cache. But did anyone check that the binaries we downloaded into the cache actually match the hashes in their hash files? If Terragrunt provider cache doesn't check hashes, and Terraform creates the partial lock file from the cache, is there any hash checking?
    2. If the user passes in a flag, then we have the module create the full lock file, and so it seems like this will do a full hash check, and work as expected.

without --terragrunt-provider-cache-disable-partial-lock-file, TG does

  • terraform providers lock -platform=cache_provider
  • terraform init + env TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE

In this case, TF trusting files from the cache, creates the lock file. TG also doesn't check the hashes. So there are no checks. I don't know what kind of check we can do here.

with --terragrunt-provider-cache-disable-partial-lock-file, TG does

  • terraform providers lock -platform=cache_provider it also caches archive files of the providers
  • terraform providers lock requests all three files from the Cache server, the large one (archive .zip) is returned from the cache and rest two are handled via proxy. Ultimately a complete lock file will be created.
  • terraform init If the hashes from the lock file do not match to the unpacked providers from the cache dir, TF returns an error.

@brikis98
Copy link
Member

brikis98 commented Apr 8, 2024

without --terragrunt-provider-cache-disable-partial-lock-file, TG does

  • terraform providers lock -platform=cache_provider
  • terraform init + env TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE

In this case, TF trusting files from the cache, creates the lock file. TG also doesn't check the hashes. So there are no checks. I don't know what kind of check we can do here.

Yea, this is the part that worries me: the lack of hash/signature checking. Is there any way to ensure that happens?

@levkohimins
Copy link
Contributor Author

levkohimins commented Apr 8, 2024

Additional:

without --terragrunt-provider-cache-disable-partial-lock-file, TG does

  • terraform providers lock -platform=cache_provider
  • terraform init + env TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE

In this case, TF trusting files from the cache, creates the lock file. TG also doesn't check the hashes. So there are no checks. I don't know what kind of check we can do here.

Yea, this is the part that worries me: the lack of hash/signature checking. Is there any way to ensure that happens?

Good question. If we don't have a full lock file, we need to check the binaries' providers ourselves. Do this every time TG starts or only at the moment when we cache the provider. In theory, we could carry out a similar check of what TF does when creating lock files, to say for sure, I need to investigate this.
But this is definitely not a quick task, so it’s probably best to implement this separately.

@levkohimins
Copy link
Contributor Author

levkohimins commented Apr 8, 2024

without --terragrunt-provider-cache-disable-partial-lock-file, TG does

  • terraform providers lock -platform=cache_provider
  • terraform init + env TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE

In this case, TF trusting files from the cache, creates the lock file. TG also doesn't check the hashes. So there are no checks. I don't know what kind of check we can do here.

Yea, this is the part that worries me: the lack of hash/signature checking. Is there any way to ensure that happens?

Good question. If we don't have a full lock file, we need to check the binaries' providers hashes ourselves. Do this every time TG starts or only at the moment when we cache the provider. In theory, we could carry out a similar check of what TF does when creating lock files. But to say for sure, I need to investigate this. But this is definitely not a quick task, so it’s probably best to implement this separately.

If this is critical, we could make this flag --terragrunt-provider-cache-disable-partial-lock-file enabled by default, and add another --terragrunt-provider-cache-enable-partial-lock-file

@brikis98
Copy link
Member

brikis98 commented Apr 9, 2024

without --terragrunt-provider-cache-disable-partial-lock-file, TG does

  • terraform providers lock -platform=cache_provider
  • terraform init + env TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE

In this case, TF trusting files from the cache, creates the lock file. TG also doesn't check the hashes. So there are no checks. I don't know what kind of check we can do here.

Yea, this is the part that worries me: the lack of hash/signature checking. Is there any way to ensure that happens?

Good question. If we don't have a full lock file, we need to check the binaries' providers hashes ourselves. Do this every time TG starts or only at the moment when we cache the provider. In theory, we could carry out a similar check of what TF does when creating lock files. But to say for sure, I need to investigate this. But this is definitely not a quick task, so it’s probably best to implement this separately.

If this is critical, we could make this flag --terragrunt-provider-cache-disable-partial-lock-file enabled by default, and add another --terragrunt-provider-cache-enable-partial-lock-file

I'd prefer to keep partial lock files enabled by default, as the whole point of provider caching is to go much faster.

That said, hash & signature checking is important.

With the partial lock file stuff, does TF not check the signature or has at all?

@levkohimins
Copy link
Contributor Author

levkohimins commented Apr 9, 2024

without --terragrunt-provider-cache-disable-partial-lock-file, TG does

  • terraform providers lock -platform=cache_provider
  • terraform init + env TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE

In this case, TF trusting files from the cache, creates the lock file. TG also doesn't check the hashes. So there are no checks. I don't know what kind of check we can do here.

Yea, this is the part that worries me: the lack of hash/signature checking. Is there any way to ensure that happens?

Good question. If we don't have a full lock file, we need to check the binaries' providers hashes ourselves. Do this every time TG starts or only at the moment when we cache the provider. In theory, we could carry out a similar check of what TF does when creating lock files. But to say for sure, I need to investigate this. But this is definitely not a quick task, so it’s probably best to implement this separately.

If this is critical, we could make this flag --terragrunt-provider-cache-disable-partial-lock-file enabled by default, and add another --terragrunt-provider-cache-enable-partial-lock-file

I'd prefer to keep partial lock files enabled by default, as the whole point of provider caching is to go much faster.

That said, hash & signature checking is important.

With the partial lock file stuff, does TF not check the signature or has at all?

For new entries in the lock file, the signature and hash are not checked at all. To check, TF needs to download the rest two files, but it doesn’t do this with partial lock (enabled TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE), but if the hash already exists in the lock file and a provider file has been modified in the cache , it shows an error - mismatch hashes.

@levkohimins
Copy link
Contributor Author

levkohimins commented Apr 10, 2024

Addition to the previous comment

The only way is to check the provider by hash and signature using the Terragrunt cache server. Every time the cache server receives a request initiated by the terraform providers lock -platform=cache_provider command, it downloads the remaining two files and checks the provider file, even if this provider already exists in the cache dir.

Thinking out loud:

  • SHA256Sum is received from the remote registry, checks the archive itself, but we store the unpacked providers. Thus, we will have to create an archive of the previously cached provider in order to check its hash then delete the archive to free up space and so every time.

  • terraform lock providers requests providers even they already exist in the lock file, which is not effective if we assume that the lock file already contains 9 providers (hashes) and we need to add a hash for new one.

@levkohimins
Copy link
Contributor Author

levkohimins commented Apr 10, 2024

  • terraform lock providers requests providers even they already exist in the lock file, which is not effective if we assume that the lock file already contains 9 providers (hashes) and we need to add a hash for new one.

I have an idea to solve the issue above, is to use terraform init instead of terraform providers lock -platform=cache_provider, on the same principle, in two requests.

  • run terraform init without provider_installation (not to use cache dir), which will force terraform to send requests to get only those providers that are not in the lock file. The cache server:
    • Returns the 429 response. (the same as now)
    • Downloads the provider if necessary (the same as now), but each time it downloads the signature and hashes to check the archive.
  • run TF_PLUGIN_CACHE_MAY_BREAK_DEPENDENCY_LOCK_FILE=1 terraform init with provider_installation to create provider symlinks from the cache directory.

Replacing terraform init with terraform providers lock -platform=cache_provider itself should be a simple task since almost nothing needs to be changed.

@levkohimins
Copy link
Contributor Author

In any case, I would suggest merging this pull request first and then making the changes separately. Since after each new update in the master branch I have to resolve conflicts.

Copy link
Member

@brikis98 brikis98 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Roger. PR approved. Let's file a bug and figure out the signature/hash check thing next!

@levkohimins levkohimins merged commit 5e6dd70 into master Apr 10, 2024
3 checks passed
@levkohimins
Copy link
Contributor Author

Thanks for the review! Created issue #3047.

Merging and creating a new release.

@levkohimins
Copy link
Contributor Author

Resolved in v0.56.4 release. Make sure to read Provider Caching.

@jmreicha
Copy link

Hey @levkohimins great work! Just want to make sure I fully understand - this solution addresses the concurrency race condition present in Terraform where providers fail to download if multiple downloads happen at the same time, is that correct?

@levkohimins
Copy link
Contributor Author

Hey @levkohimins great work! Just want to make sure I fully understand - this solution addresses the concurrency race condition present in Terraform where providers fail to download if multiple downloads happen at the same time, is that correct?

Hey @jmreicha, you are absolutely right.

@jmreicha
Copy link

Amazing. This is huge, really good stuff guys.

renovate bot added a commit to scottames/dots that referenced this pull request Apr 12, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Update | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|---|
|
[GoogleContainerTools/skaffold](https://togithub.com/GoogleContainerTools/skaffold)
| patch | `v2.11.0` -> `v2.11.1` |
[![age](https://developer.mend.io/api/mc/badges/age/github-releases/GoogleContainerTools%2fskaffold/v2.11.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/github-releases/GoogleContainerTools%2fskaffold/v2.11.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/github-releases/GoogleContainerTools%2fskaffold/v2.11.0/v2.11.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/github-releases/GoogleContainerTools%2fskaffold/v2.11.0/v2.11.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
| [aquaproj/aqua-registry](https://togithub.com/aquaproj/aqua-registry)
| minor | `v4.158.0` -> `v4.160.0` |
[![age](https://developer.mend.io/api/mc/badges/age/github-releases/aquaproj%2faqua-registry/v4.160.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/github-releases/aquaproj%2faqua-registry/v4.160.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/github-releases/aquaproj%2faqua-registry/v4.158.0/v4.160.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/github-releases/aquaproj%2faqua-registry/v4.158.0/v4.160.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
| [dwisiswant0/tlder](https://togithub.com/dwisiswant0/tlder) | minor |
`v0.0.1` -> `v0.1.0` |
[![age](https://developer.mend.io/api/mc/badges/age/github-releases/dwisiswant0%2ftlder/v0.1.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/github-releases/dwisiswant0%2ftlder/v0.1.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/github-releases/dwisiswant0%2ftlder/v0.0.1/v0.1.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/github-releases/dwisiswant0%2ftlder/v0.0.1/v0.1.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
| [eza-community/eza](https://togithub.com/eza-community/eza) | patch |
`v0.18.9` -> `v0.18.10` |
[![age](https://developer.mend.io/api/mc/badges/age/github-releases/eza-community%2feza/v0.18.10?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/github-releases/eza-community%2feza/v0.18.10?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/github-releases/eza-community%2feza/v0.18.9/v0.18.10?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/github-releases/eza-community%2feza/v0.18.9/v0.18.10?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
|
[gruntwork-io/terragrunt](https://togithub.com/gruntwork-io/terragrunt)
| patch | `v0.56.2` -> `v0.56.5` |
[![age](https://developer.mend.io/api/mc/badges/age/github-releases/gruntwork-io%2fterragrunt/v0.56.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/github-releases/gruntwork-io%2fterragrunt/v0.56.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/github-releases/gruntwork-io%2fterragrunt/v0.56.2/v0.56.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/github-releases/gruntwork-io%2fterragrunt/v0.56.2/v0.56.5?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
| [helm/helm](https://togithub.com/helm/helm) | patch | `v3.14.3` ->
`v3.14.4` |
[![age](https://developer.mend.io/api/mc/badges/age/github-releases/helm%2fhelm/v3.14.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/github-releases/helm%2fhelm/v3.14.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/github-releases/helm%2fhelm/v3.14.3/v3.14.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/github-releases/helm%2fhelm/v3.14.3/v3.14.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
| [rhysd/hgrep](https://togithub.com/rhysd/hgrep) | patch | `v0.3.5` ->
`v0.3.6` |
[![age](https://developer.mend.io/api/mc/badges/age/github-releases/rhysd%2fhgrep/v0.3.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/github-releases/rhysd%2fhgrep/v0.3.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/github-releases/rhysd%2fhgrep/v0.3.5/v0.3.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/github-releases/rhysd%2fhgrep/v0.3.5/v0.3.6?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
| [sigstore/cosign](https://togithub.com/sigstore/cosign) | patch |
`v2.2.3` -> `v2.2.4` |
[![age](https://developer.mend.io/api/mc/badges/age/github-releases/sigstore%2fcosign/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/github-releases/sigstore%2fcosign/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/github-releases/sigstore%2fcosign/v2.2.3/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/github-releases/sigstore%2fcosign/v2.2.3/v2.2.4?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
| [snyk/cli](https://togithub.com/snyk/cli) | minor | `v1.1287.0` ->
`v1.1288.0` |
[![age](https://developer.mend.io/api/mc/badges/age/github-releases/snyk%2fcli/v1.1288.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/github-releases/snyk%2fcli/v1.1288.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/github-releases/snyk%2fcli/v1.1287.0/v1.1288.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/github-releases/snyk%2fcli/v1.1287.0/v1.1288.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
| [trunk-io/launcher](https://trunk.io) | patch | `1.3.0` -> `1.3.1` |
[![age](https://developer.mend.io/api/mc/badges/age/npm/trunk-io%2flauncher/1.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/trunk-io%2flauncher/1.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/trunk-io%2flauncher/1.3.0/1.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/trunk-io%2flauncher/1.3.0/1.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>GoogleContainerTools/skaffold
(GoogleContainerTools/skaffold)</summary>

###
[`v2.11.1`](https://togithub.com/GoogleContainerTools/skaffold/releases/tag/v2.11.1):
Release

[Compare
Source](https://togithub.com/GoogleContainerTools/skaffold/compare/v2.11.0...v2.11.1)

### v2.11.1 Release - 2024-04-09

**Linux amd64**
`curl -Lo skaffold
https://storage.googleapis.com/skaffold/releases/v2.11.1/skaffold-linux-amd64
&& chmod +x skaffold && sudo mv skaffold /usr/local/bin`

**Linux arm64**
`curl -Lo skaffold
https://storage.googleapis.com/skaffold/releases/v2.11.1/skaffold-linux-arm64
&& chmod +x skaffold && sudo mv skaffold /usr/local/bin`

**macOS amd64**
`curl -Lo skaffold
https://storage.googleapis.com/skaffold/releases/v2.11.1/skaffold-darwin-amd64
&& chmod +x skaffold && sudo mv skaffold /usr/local/bin`

**macOS arm64**
`curl -Lo skaffold
https://storage.googleapis.com/skaffold/releases/v2.11.1/skaffold-darwin-arm64
&& chmod +x skaffold && sudo mv skaffold /usr/local/bin`

**Windows**

https://storage.googleapis.com/skaffold/releases/v2.11.1/skaffold-windows-amd64.exe

**Docker image**
`gcr.io/k8s-skaffold/skaffold:v2.11.1`

**Full Changelog**:
GoogleContainerTools/skaffold@v2.11.0...v2.11.1

Highlights:

Fixes:

-   fix: Windows binary properly signed

</details>

<details>
<summary>aquaproj/aqua-registry (aquaproj/aqua-registry)</summary>

###
[`v4.160.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v4.160.0)

[Compare
Source](https://togithub.com/aquaproj/aqua-registry/compare/v4.159.0...v4.160.0)


[Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av4.160.0)
| [Pull
Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av4.160.0)
| aquaproj/aqua-registry@v4.159.0...v4.160.0

#### 🎉 New Packages


[#&#8203;21798](https://togithub.com/aquaproj/aqua-registry/issues/21798)
[Songmu/make2help](https://togithub.com/Songmu/make2help): Utility for
self-documented Makefile
[@&#8203;lamanotrama](https://togithub.com/lamanotrama)

#### Fixes


[#&#8203;21747](https://togithub.com/aquaproj/aqua-registry/issues/21747)
jetpack-io/devbox: Rename the package `jetpack-io/devbox` to
jetify-com/devbox

The GitHub Repository of the package `jetpack-io/devbox` was transferred
from [jetpack-io/devbox](https://togithub.com/jetpack-io/devbox) to
[jetify-com/devbox](https://togithub.com/jetify-com/devbox).

#### 🎉 New Contributors

Thank you for your contribution!

[@&#8203;lamanotrama](https://togithub.com/lamanotrama)
[#&#8203;21798](https://togithub.com/aquaproj/aqua-registry/issues/21798)

###
[`v4.159.0`](https://togithub.com/aquaproj/aqua-registry/releases/tag/v4.159.0)

[Compare
Source](https://togithub.com/aquaproj/aqua-registry/compare/v4.158.0...v4.159.0)


[Issues](https://togithub.com/aquaproj/aqua-registry/issues?q=is%3Aissue+milestone%3Av4.159.0)
| [Pull
Requests](https://togithub.com/aquaproj/aqua-registry/pulls?q=is%3Apr+milestone%3Av4.159.0)
| aquaproj/aqua-registry@v4.158.0...v4.159.0

#### 🎉 New Packages


[#&#8203;21629](https://togithub.com/aquaproj/aqua-registry/issues/21629)
[Bearer/gon](https://togithub.com/Bearer/gon): Sign, notarize, and
package macOS CLI tools and applications written in any language.
Available as both a CLI and a Go library

[#&#8203;21659](https://togithub.com/aquaproj/aqua-registry/issues/21659)
[koyeb/koyeb-cli](https://togithub.com/koyeb/koyeb-cli): Koyeb cli

#### Fixes


[#&#8203;21718](https://togithub.com/aquaproj/aqua-registry/issues/21718)
dwisiswant0/tlder: Follow up changes of tlder v0.1.0


dwisiswant0/tlder@b61d4d1


[#&#8203;21719](https://togithub.com/aquaproj/aqua-registry/issues/21719)
oligot/go-mod-upgrade: Follow up changes of go-mod-upgrade v0.10.0


oligot/go-mod-upgrade@afcc585

</details>

<details>
<summary>dwisiswant0/tlder (dwisiswant0/tlder)</summary>

###
[`v0.1.0`](https://togithub.com/dwisiswant0/tlder/releases/tag/v0.1.0)

[Compare
Source](https://togithub.com/dwisiswant0/tlder/compare/v0.0.1...v0.1.0)

#### Changelog

- [`b61d4d1`](https://togithub.com/dwisiswant0/tlder/commit/b61d4d1)
chore: update goreleaser config
- [`409bb73`](https://togithub.com/dwisiswant0/tlder/commit/409bb73)
build: bump mod, lib, & data
([#&#8203;5](https://togithub.com/dwisiswant0/tlder/issues/5))
- [`226387f`](https://togithub.com/dwisiswant0/tlder/commit/226387f)
Update funding
- [`af8252d`](https://togithub.com/dwisiswant0/tlder/commit/af8252d)
workflow: Add expression if DB isn't updated

</details>

<details>
<summary>eza-community/eza (eza-community/eza)</summary>

###
[`v0.18.10`](https://togithub.com/eza-community/eza/releases/tag/v0.18.10):
eza v0.18.10

[Compare
Source](https://togithub.com/eza-community/eza/compare/v0.18.9...v0.18.10)

### Changelog

#### \[0.18.10] - 2024-04-11

##### Bug Fixes

-   Bump trycmd from 0.15.0 to 0.15.1

##### Miscellaneous Tasks

-   Release eza v0.18.10

##### Build

-   Bump nu-ansi-term from 0.49.0 to 0.50.0

### Checksums

#### sha256sum

0fb41abd0893d20814bda552906796df7df544192cfc099d1c703f75bc921c93
./target/bin-0.18.10/eza_aarch64-unknown-linux-gnu.tar.gz
f1e32e4c733a8a6aacab0059574067d59824c9940669128d4d53815c3efb7b70
./target/bin-0.18.10/eza_aarch64-unknown-linux-gnu.zip
92b98cf94ab280439adb8a40ba2ae02cdc8c48c027dc5ded550658179a49bb7a
./target/bin-0.18.10/eza_arm-unknown-linux-gnueabihf.tar.gz
859adf0ee66de6ec4e5319dfbfc28b06ffe0796e9a6d8d35bb97b2625f202eea
./target/bin-0.18.10/eza_arm-unknown-linux-gnueabihf.zip
9909671c047ec3e14914cc4294737a3be7cda2802b50b00e3f88571f4be8fb2d
./target/bin-0.18.10/eza.exe_x86_64-pc-windows-gnu.tar.gz
e8d793cf5c7748b40b7aea208a0d34c95b948f8be09ba41576b12c8d255f4cd4
./target/bin-0.18.10/eza.exe_x86_64-pc-windows-gnu.zip
7aeb494792b9b189b994a66821f04317aa83b148f3318aaf976d2a92a5a8a7f5
./target/bin-0.18.10/eza_x86_64-unknown-linux-gnu.tar.gz
02e9561d24a2324f10ea33ad586feb9251e3a2bec9e301a756d7f447613ca6c3
./target/bin-0.18.10/eza_x86_64-unknown-linux-gnu.zip
cf2591499606663d2d042103e46a4936d765203025220f83d707309ca1138480
./target/bin-0.18.10/eza_x86_64-unknown-linux-musl.tar.gz
c6a1d2bc5a1d07edf7d7d4412243efa353d8dde8ab625565639cd88ac40e572b
./target/bin-0.18.10/eza_x86_64-unknown-linux-musl.zip

#### md5sum

317c691e0acd23a92acbca36b9530df2
./target/bin-0.18.10/eza_aarch64-unknown-linux-gnu.tar.gz
490f37045257aa0a9a96b732ddf88275
./target/bin-0.18.10/eza_aarch64-unknown-linux-gnu.zip
c3e876c1acf2ffe17499accfc0169a4a
./target/bin-0.18.10/eza_arm-unknown-linux-gnueabihf.tar.gz
2111c22b49bb1f84b0944f1796bc52b6
./target/bin-0.18.10/eza_arm-unknown-linux-gnueabihf.zip
f33f53084a83829aec1cb6ea1e95b4b5
./target/bin-0.18.10/eza.exe_x86_64-pc-windows-gnu.tar.gz
f9d2209064985b3a3f25f4fd93a3ba50
./target/bin-0.18.10/eza.exe_x86_64-pc-windows-gnu.zip
6963c57fe424dedd6bbec3bda8a1348a
./target/bin-0.18.10/eza_x86_64-unknown-linux-gnu.tar.gz
a89f081b34680290865c3e5202c58cd1
./target/bin-0.18.10/eza_x86_64-unknown-linux-gnu.zip
12a48353f895d2c25ea12ad3f83004c0
./target/bin-0.18.10/eza_x86_64-unknown-linux-musl.tar.gz
59b064c01c047e662ed0851df902852c
./target/bin-0.18.10/eza_x86_64-unknown-linux-musl.zip

#### blake3sum

5e76aee096d97a0b3400980c1585c9a404baabe904e8836a585a6e7ded1eb86a
./target/bin-0.18.10/eza_aarch64-unknown-linux-gnu.tar.gz
5e286f555267b930910557e1d8ac6572b6da7d4407b783a8b40bde3ea099b87a
./target/bin-0.18.10/eza_aarch64-unknown-linux-gnu.zip
f680686c3ca07ae09d8fe536f8d667bac78e7a1b22d1feca26f408ff725634b3
./target/bin-0.18.10/eza_arm-unknown-linux-gnueabihf.tar.gz
463c3fd66e19a1b8d7df1205242f28231f31c9693cb2366bd006128922d1d162
./target/bin-0.18.10/eza_arm-unknown-linux-gnueabihf.zip
19df35e31a5a1a8655454647e442e6c8cfab600a6f3d8063eb9261c16585f6ed
./target/bin-0.18.10/eza.exe_x86_64-pc-windows-gnu.tar.gz
57f6630b5ee31d25c2db190e7373adf494b9ee0c576770620e7f461af74d9513
./target/bin-0.18.10/eza.exe_x86_64-pc-windows-gnu.zip
0f3dbe0c9ef795d95ef60def43646e1eb940f4d0072f51d6e9a7061b4a0d8ab8
./target/bin-0.18.10/eza_x86_64-unknown-linux-gnu.tar.gz
2c1d0b151f485db7ca1587228c94a5758170f3beed2972c80291460128370fe4
./target/bin-0.18.10/eza_x86_64-unknown-linux-gnu.zip
2d06b1606a355a9708950f04c4cc0faa928e7330ee5d7b02da969489a0ef478e
./target/bin-0.18.10/eza_x86_64-unknown-linux-musl.tar.gz
b0f07242a9a799577ea559a6a74511f011e59fb96fc741096c999225456e8191
./target/bin-0.18.10/eza_x86_64-unknown-linux-musl.zip

</details>

<details>
<summary>gruntwork-io/terragrunt (gruntwork-io/terragrunt)</summary>

###
[`v0.56.5`](https://togithub.com/gruntwork-io/terragrunt/releases/tag/v0.56.5)

[Compare
Source](https://togithub.com/gruntwork-io/terragrunt/compare/v0.56.4...v0.56.5)

#### Updated CLI args, config attributes and blocks

-   `apply -destroy`

#### Description

-   Fixes destroy order for `apply -destroy` alias command

#### Related links

-
[gruntwork-io/terragrunt#3011

###
[`v0.56.4`](https://togithub.com/gruntwork-io/terragrunt/releases/tag/v0.56.4)

[Compare
Source](https://togithub.com/gruntwork-io/terragrunt/compare/v0.56.3...v0.56.4)

#### Updated CLI args, config attributes and blocks

-   `--terragrunt-provider-cache`
-   `--terragrunt-provider-cache-dir`
-   `--terragrunt-provider-cache-disable-partial-lock-file`
-   `--terragrunt-provider-cache-registry-names`
-   `--terragrunt-provider-cache-hostname`
-   `--terragrunt-provider-cache-port`
-   `--terragrunt-provider-cache-token`

#### Description

- Caching Terraform providers,
[docs](https://terragrunt.gruntwork.io/docs/features/provider-cache/)

#### Related links

-
[gruntwork-io/terragrunt#3001

###
[`v0.56.3`](https://togithub.com/gruntwork-io/terragrunt/releases/tag/v0.56.3)

[Compare
Source](https://togithub.com/gruntwork-io/terragrunt/compare/v0.56.2...v0.56.3)

#### Description

-   Fixes slow destroy of config deeply nested in config hierarchy

#### Related links

-
[gruntwork-io/terragrunt#3015

</details>

<details>
<summary>helm/helm (helm/helm)</summary>

### [`v3.14.4`](https://togithub.com/helm/helm/releases/tag/v3.14.4):
Helm v3.14.4

[Compare
Source](https://togithub.com/helm/helm/compare/v3.14.3...v3.14.4)

Helm v3.14.4 is a patch release. Users are encouraged to upgrade for the
best experience. Users are encouraged to upgrade for the best
experience.

The community keeps growing, and we'd love to see you there!

- Join the discussion in [Kubernetes
Slack](https://kubernetes.slack.com):
    -   for questions and just to hang out
    -   for discussing PRs, code, and bugs
- Hang out at the Public Developer Call: Thursday, 9:30 Pacific via
[Zoom](https://zoom.us/j/696660622)
- Test, debug, and contribute charts:
[ArtifactHub/packages](https://artifacthub.io/packages/search?kind=0)

#### Installation and Upgrading

Download Helm v3.14.4. The common platform binaries are here:

- [MacOS amd64](https://get.helm.sh/helm-v3.14.4-darwin-amd64.tar.gz)
([checksum](https://get.helm.sh/helm-v3.14.4-darwin-amd64.tar.gz.sha256sum)
/ 73434aeac36ad068ce2e5582b8851a286dc628eae16494a26e2ad0b24a7199f9)
- [MacOS arm64](https://get.helm.sh/helm-v3.14.4-darwin-arm64.tar.gz)
([checksum](https://get.helm.sh/helm-v3.14.4-darwin-arm64.tar.gz.sha256sum)
/ 61e9c5455f06b2ad0a1280975bf65892e707adc19d766b0cf4e9006e3b7b4b6c)
- [Linux amd64](https://get.helm.sh/helm-v3.14.4-linux-amd64.tar.gz)
([checksum](https://get.helm.sh/helm-v3.14.4-linux-amd64.tar.gz.sha256sum)
/ a5844ef2c38ef6ddf3b5a8f7d91e7e0e8ebc39a38bb3fc8013d629c1ef29c259)
- [Linux arm](https://get.helm.sh/helm-v3.14.4-linux-arm.tar.gz)
([checksum](https://get.helm.sh/helm-v3.14.4-linux-arm.tar.gz.sha256sum)
/ 962297c944c06e1f275111a6e3d80e37c9e9e8fed967d4abec8efcf7fc9fb260)
- [Linux arm64](https://get.helm.sh/helm-v3.14.4-linux-arm64.tar.gz)
([checksum](https://get.helm.sh/helm-v3.14.4-linux-arm64.tar.gz.sha256sum)
/ 113ccc53b7c57c2aba0cd0aa560b5500841b18b5210d78641acfddc53dac8ab2)
- [Linux i386](https://get.helm.sh/helm-v3.14.4-linux-386.tar.gz)
([checksum](https://get.helm.sh/helm-v3.14.4-linux-386.tar.gz.sha256sum)
/ 2cb3ff032be1c39b7199b324d58d0ae05bc4fe49b9be6aa2fcbeb3fc03f1f9e7)
- [Linux ppc64le](https://get.helm.sh/helm-v3.14.4-linux-ppc64le.tar.gz)
([checksum](https://get.helm.sh/helm-v3.14.4-linux-ppc64le.tar.gz.sha256sum)
/ d0d625b43f6650ad376428520b2238baa2400bfedb43b2e0f24ad7247f0f59b5)
- [Linux s390x](https://get.helm.sh/helm-v3.14.4-linux-s390x.tar.gz)
([checksum](https://get.helm.sh/helm-v3.14.4-linux-s390x.tar.gz.sha256sum)
/ a5750d0cb1ba34ce84ab3be6382a14617130661d15dd2aa1b36630b293437936)
- [Linux riscv64](https://get.helm.sh/helm-v3.14.4-linux-riscv64.tar.gz)
([checksum](https://get.helm.sh/helm-v3.14.4-linux-riscv64.tar.gz.sha256sum)
/ 925782b159392d52df5ebab88e04e695217325894c6a32a9a779e865b7e32411)
- [Windows amd64](https://get.helm.sh/helm-v3.14.4-windows-amd64.zip)
([checksum](https://get.helm.sh/helm-v3.14.4-windows-amd64.zip.sha256sum)
/ 0b951db3eadd92dfe336b5a9ddb0640e5cd70d39abdbd7d3125e9fb59b22b669)

This release was signed with ` 672C 657B E06B 4B30 969C 4A57 4614 49C2
5E36 B98E ` and can be found at
[@&#8203;mattfarina](https://togithub.com/mattfarina) [keybase
account](https://keybase.io/mattfarina). Please use the attached
signatures for verifying this release using `gpg`.

The [Quickstart Guide](https://helm.sh/docs/intro/quickstart/) will get
you going from there. For **upgrade instructions** or detailed
installation notes, check the [install
guide](https://helm.sh/docs/intro/install/). You can also use a [script
to
install](https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3)
on any system with `bash`.

#### What's Next

-   3.15.0 is the next feature release and will be on May 08, 2024.

#### Changelog

- refactor: create a helper for checking if a release is uninstalled
[`81c902a`](https://togithub.com/helm/helm/commit/81c902a123462fd4052bc5e9aa9c513c4c8fc142)
(Alex Petrov)
- fix: reinstall previously uninstalled chart with --keep-history
[`5a11c76`](https://togithub.com/helm/helm/commit/5a11c768386dab08ff026fb1001e592ab0a033f8)
(Alex Petrov)
- chore: remove repetitive words
[`fb3d880`](https://togithub.com/helm/helm/commit/fb3d8805f017d898f9e88667829c21874a8f6166)
(deterclosed)
- chore(deps): bump google.golang.org/protobuf from 1.31.0 to 1.33.0
[`01ac4a2`](https://togithub.com/helm/helm/commit/01ac4a2c36d49e691982f85f4243fe449876fb5d)
(dependabot\[bot])
- chore(deps): bump github.com/docker/docker
[`138602d`](https://togithub.com/helm/helm/commit/138602da27a6ba67564d298e7b07f5624a341b88)
(dependabot\[bot])
- bug: add proxy support for oci getter
[`aa7d953`](https://togithub.com/helm/helm/commit/aa7d95333d5fbc1ea9ed20cc56f011c068e004be)
(Ricardo Maraschini)

</details>

<details>
<summary>rhysd/hgrep (rhysd/hgrep)</summary>

###
[`v0.3.6`](https://togithub.com/rhysd/hgrep/blob/HEAD/CHANGELOG.md#v036---06-Apr-2024)

[Compare
Source](https://togithub.com/rhysd/hgrep/compare/v0.3.5...v0.3.6)

- Add `-u`/`--unrestricted` flags to built-in ripgrep (`ripgrep`
feature). This flag reduces the level of "smart" filtering by repeated
uses (up to 2). A single flag `-u` is equivalent to `--no-ignore`. Two
flags `-uu` are equivalent to `--no-ignore --hidden`. Unlike ripgrep,
three flags `-uuu` are not supported since hgrep doesn't support
`--binary` flag.
    ```sh
    ```

</details>

<details>
<summary>sigstore/cosign (sigstore/cosign)</summary>

###
[`v2.2.4`](https://togithub.com/sigstore/cosign/blob/HEAD/CHANGELOG.md#v224)

[Compare
Source](https://togithub.com/sigstore/cosign/compare/v2.2.3...v2.2.4)

#### Bug Fixes

- Fixes for GHSA-88jx-383q-w4qc and GHSA-95pr-fxf5-86gv
([#&#8203;3661](https://togithub.com/sigstore/cosign/issues/3661))
- ErrNoSignaturesFound should be used when there is no signature
attached to an image.
([#&#8203;3526](https://togithub.com/sigstore/cosign/issues/3526))
- fix semgrep issues for dgryski.semgrep-go ruleset
([#&#8203;3541](https://togithub.com/sigstore/cosign/issues/3541))
- Honor creation timestamp for signatures again
([#&#8203;3549](https://togithub.com/sigstore/cosign/issues/3549))

#### Features

- Adds Support for Fulcio Client Credentials Flow, and Argument to Set
Flow Explicitly
([#&#8203;3578](https://togithub.com/sigstore/cosign/issues/3578))

#### Documentation

- add oci bundle spec
([#&#8203;3622](https://togithub.com/sigstore/cosign/issues/3622))
- Correct help text of triangulate cmd
([#&#8203;3551](https://togithub.com/sigstore/cosign/issues/3551))
- Correct help text of verify-attestation policy argument
([#&#8203;3527](https://togithub.com/sigstore/cosign/issues/3527))
- feat: add OVHcloud MPR registry tested with cosign
([#&#8203;3639](https://togithub.com/sigstore/cosign/issues/3639))

#### Testing

- Refactor e2e-tests.yml workflow
([#&#8203;3627](https://togithub.com/sigstore/cosign/issues/3627))
- Clean up and clarify e2e scripts
([#&#8203;3628](https://togithub.com/sigstore/cosign/issues/3628))
- Don't ignore transparency log in tests if possible
([#&#8203;3528](https://togithub.com/sigstore/cosign/issues/3528))
- Make E2E tests hermetic
([#&#8203;3499](https://togithub.com/sigstore/cosign/issues/3499))
- add e2e test for pkcs11 token signing
([#&#8203;3495](https://togithub.com/sigstore/cosign/issues/3495))

</details>

<details>
<summary>snyk/cli (snyk/cli)</summary>

### [`v1.1288.0`](https://togithub.com/snyk/cli/releases/tag/v1.1288.0)

[Compare
Source](https://togithub.com/snyk/cli/compare/v1.1287.0...v1.1288.0)

##### Bug Fixes

- add --experimental flag for snyk code test
([#&#8203;5151](https://togithub.com/snyk/snyk/issues/5151))
([08647f2](https://togithub.com/snyk/snyk/commit/08647f295dd92ceb206a4f1b99e3b1905eab016e))
- make download of CLI in language server more resilient under windows
\[IDE-90] ([#&#8203;5155](https://togithub.com/snyk/snyk/issues/5155))
([1e51948](https://togithub.com/snyk/snyk/commit/1e5194853a3183629a9fad9679fc83e7b8d4d4cb))

##### Features

- bump language server protocol version to 11 \[IDE-236]
([#&#8203;5156](https://togithub.com/snyk/snyk/issues/5156))
([fc41937](https://togithub.com/snyk/snyk/commit/fc41937f14f647e43e2b21b93ce3cc261a3de468))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 4pm on thursday" in timezone
America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/scottames/dots).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: scottames-github-bot[bot] <162828115+scottames-github-bot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add guidance/features for reducing disk space and bandwidth usage
4 participants